
Small and medium-sized businesses can face costs of up to £65,000 as the result of a severe information security breach, according to the most recent Information Security Breaches Survey by the Department for Business, Innovation and Skills.

The survey shows that 78% of large organisations were attacked by an unauthorised outsider in the last year and that smaller businesses, “which used not to be a target, are now also coming under increasing attack”. 

The average cost of the worst security breaches is £35,000 to £65,000 for smaller organisations, and £450,000 to £850,000 for larger organisations.  

“Many businesses would claim that information is their most valuable asset, yet they do not develop a culture that gives priority to keeping information secure,” says Richard Skipsey of SGS United Kingdom Ltd. “Effective information security must be championed, funded and managed from the top down. It needs to be implemented as part of an overall business strategy, not in isolation.”

SGS has just updated its free booklet on ‘Issues to be considered when establishing an Information Security Management System’ to help companies which are thinking about aiming for ISO 27001:2013, the revised international standard covering the security of an organisation’s information and IT systems. To download the booklet, go to

“Even if an organisation does not want to commit to attaining the standard – although more and more businesses and government bodies are making it a requirement in suppliers’ tender documents – the booklet helps owners and senior managers clarify where they might be vulnerable in losing information,” says Mr Skipsey.

He emphasises that the strategy must include all information that is valuable to an organisation – from research and design prototypes to forecasts and negotiating positions. It is also not limited to online activity and includes paper records, images and even conversations.

The cost to UK plc of security breaches is “in the order of billions of pounds per annum…. (and) … it’s roughly tripled over the last year”, according to the survey.

Mr Skipsey is Global Product Manager - ISO 27001 and ISO 22301 at SGS, the world's leading inspection, verification, certification, testing and training organisation. SGS has recently been accredited by UKAS to assess ISO/IEC 27001:2013.

The information security booklet has been updated to reflect the changes since the initial standard ISO 27001 was established in 2005. Mr Skipsey welcomes the fact that the importance of management commitment, along with effective measurement, is given more prominence in the revised standard.